Configuring Rate limiting plugin

Hi all,

My Kong is hosted on EC2 listening on port 8000. I have a lambda@edge on AWS CloudFront which calls Kong to do rate limiting. I need to do rate limiting for a consumer and not for APIs.

So basically I just want Kong to send a response back to Lambda telling me whether that user is under the limit or not. But I am having trouble configuring a service for this, as the upstream server for me is CloudFront itself (the one making the call to Kong via lambda@edge).

Is there a way to get around this?

Thanks

I have another question. Is it required for a consumer to be authenticated if the rate-limiting plugin is enabled? I currently have rate-limiting working but it is giving me a 401 Unauthorized.

Hi,
regarding the second question

Is it required for a consumer to be authenticated

I would say that if you want to apply the rate limiting on a consumer, you need to know which consumer did the API call. Knowing ‘which consumer’ is indeed performing authentication; otherwise I cannot see how to link a request to a consumer.

Yes I understand.

So I created a key corresponding to the consumer, and while making a request I am putting apiKey:{apiKey generated by Kong} in the header. But this is still giving me a 401 response.

Can someone help me out with this? The apiKey is not getting authenticated.

Could you detail the 401 message that you receive, to see whether no apikey is found or the apikey is considered invalid?

Things to consider:

  • how did you configure the key-auth plugin?
    • is it enabled globally, on a service or on a route?
    • which header field is used to send/find the API key? It is apikey by default but can be configured with the config.key_names field.
  • check the credentials of your consumer.
  • check your API request to confirm that you put the right header (matching the plugin configuration) and that the key is the one found in the consumer credentials.

It should help to find where the configuration issue is. If you cannot solve the issue, I will send you the Admin API requests to perform the verification (but I cannot at the moment).

Hi,

I was able to integrate the plugin correctly because now I see this message -

“message”: “Invalid authentication credentials”

The keyName is apikey, which I am passing in the header with its value.
This is a long shot, but is it something to do with the Authorization header which I am passing along with apiKey? I need the Authorization header for my upstream service, which I cannot omit.

Can you suggest a fix for this?

"It should help to find where the configuration issue is. If you cannot solve the issue, I will send you the Admin API requests to perform the verification (but I cannot at the moment)"

Can you share them now?

Hi,

  • to check your plugin configuration, assuming that the plugin is at the service level (it could be a route or global plugin). My service is named swapi-service.
http :8001/services/swapi-service/plugins?name=key-auth

{
    "data": [
        {
            "config": {
                "anonymous": null,
                "hide_credentials": false,
                "key_in_body": false,
                "key_names": [
                    "X-API-KEY"
                ],
                "run_on_preflight": true
            },
            "consumer": null,
            "created_at": 1556192265,
            "enabled": true,
            "id": "b5efaaa5-170c-49ec-87de-e57fc1534b9c",
            "name": "key-auth",
            "protocols": [
                "http",
                "https"
            ],
            "route": null,
            "run_on": "first",
            "service": {
                "id": "39be8c9c-c289-4c6c-85c7-7a60357977ba"
            },
            "tags": null
        }
    ],
    "next": null
}

You can see that my plugin is configured to read the API key in the X-API-KEY field.

  • to check the consumer configuration
    My consumer is named Consumer1 (you can retrieve the consumers with http :8001/consumers ).
http :8001/consumers/Consumer1/key-auth/

{
    "data": [
        {
            "consumer": {
                "id": "0c2b5ac9-7668-44cd-ab06-7caa1c511552"
            },
            "created_at": 1556193025,
            "id": "d6a99977-a8dc-4c83-b121-03dce192c07a",
            "key": "123-nexDigital-456"
        }
    ],
    "next": null
}

You can see that the key for Consumer1 is 123-nexDigital-456.

Then, to perform the call (the route is set up with the /sw path):
http :8000/sw/films/1/ X-API-KEY:123-nexDigital-456

With a wrong key:
http :8000/sw/films/1/ X-API-KEY:123
The response is

{
    "message": "Invalid authentication credentials"
}

With a wrong header:
http :8000/sw/films/1/ X-WRONG-HEADER:123-nexDigital-456
The response is

{
    "message": "No API key found in request"
}

Hope it helps.
You can consult a repository around rate limiting which describes the configuration of the plugin and consumers: https://github.com/nexDigitalDev/kong-ratelimiting-demo
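The two 401 messages above come from the same lookup: key-auth searches the configured key_names (header names case-insensitively, then the query string, then the body when key_in_body is set) and only then matches the key against consumer credentials; it never reads the Authorization header. The following offline model of that decision is an added example, not code from Kong or from the linked repository; the plugin config and credential dict are constructed from the Admin API output shown above, and the simulation omits the anonymous-consumer fallback and the `Duplicate API key found` case.

```python
"""Offline model of Kong key-auth lookups, constructed for this thread (not Kong's code)."""

# Plugin config as returned by GET /services/swapi-service/plugins?name=key-auth (constructed).
PLUGIN_CONFIG = {
    "anonymous": None,
    "hide_credentials": False,
    "key_in_body": False,
    "key_names": ["X-API-KEY"],
    "run_on_preflight": True,
}

# Credentials as returned by GET /consumers/Consumer1/key-auth/ (constructed): key -> consumer id.
CONSUMER_KEYS = {
    "123-nexDigital-456": "0c2b5ac9-7668-44cd-ab06-7caa1c511552",
}

NO_KEY = "No API key found in request"
INVALID_KEY = "Invalid authentication credentials"


def extract_key(config, headers, query=None, body=None):
    """Return the first key found for any configured key name.

    HTTP header names are case-insensitive, so `apikey`, `apiKey` and `APIKEY`
    all match a key_names entry of `apikey`; query and body names are exact."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in config["key_names"]:
        value = lowered.get(name.lower())
        if value is None and query:
            value = query.get(name)
        if value is None and config["key_in_body"] and body:
            value = body.get(name)
        if value:
            return value
    return None  # nothing sent under any configured name


def diagnose(config, credentials, headers, query=None, body=None):
    """Simulate the plugin decision: (status, message) as the client would see it."""
    key = extract_key(config, headers, query, body)
    if key is None:
        return 401, NO_KEY            # wrong header name, or header missing
    consumer_id = credentials.get(key)
    if consumer_id is None:
        return 401, INVALID_KEY       # header name right, value matches no credential
    return 200, f"authenticated as consumer {consumer_id}"


if __name__ == "__main__":
    print(diagnose(PLUGIN_CONFIG, CONSUMER_KEYS, {"x-api-key": "123-nexDigital-456"}))
    print(diagnose(PLUGIN_CONFIG, CONSUMER_KEYS, {"X-API-KEY": "123"}))
    print(diagnose(PLUGIN_CONFIG, CONSUMER_KEYS, {"X-WRONG-HEADER": "123-nexDigital-456"}))
```

Running it with your own plugin config and credential list pasted in reproduces which of the two messages a given request should get, so you can tell a header-name mismatch from a wrong key before touching the gateway.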

https://github.com/nexDigitalDev/kong-ratelimiting-demo

This link should be part of your documentation. It clearly mentions the steps needed to integrate Kong and use its plugins.

Thanks a lot!